Kimberlee Integer Model
2019-Apr-26 21:01 UTC
[CentOS-docs] firewalld configuration for securing SSH
I'm not sure I follow: you just think the modified one should be called
"ssh-custom", or you think there shouldn't be a modified service file
at all?

-- Kimee

On Fri, 2019-04-26 at 19:46 +0200, Thibaut Perrin wrote:
> Hi there,
>
> Wouldn't it be a better solution to create a custom xml file to put
> in /etc/firewalld and load that "ssh-custom" service instead?
>
> Thanks
>
> On 26/04/2019, Kimberlee Integer Model <kimee.i.model at gmail.com> wrote:
> > Thank you, I've gone in and made the listed changes and changed the
> > firewalld sections to use services instead of just port numbers.
> >
> > -- Kimee
> >
> > On Wed, 2019-04-24 at 17:05 -0700, Akemi Yagi wrote:
> > > On Wed, Apr 24, 2019 at 12:13 AM Kimberlee Integer Model
> > > <kimee.i.model at gmail.com> wrote:
> > > >
> > > > Hi all,
> > > >
> > > > 1st time contributor here. I was using the guide on securing SSH, and
> > > > noticed that the firewall-cmd snippets for filtering by requests per
> > > > time seem somewhat outdated. From what I can tell the given snippets
> > > > relay arguments directly down to iptables, and do not cover both IPv4
> > > > and v6 (and in fact when attempting to extend to v6 the firewall would
> > > > fail to reload). I came up with an "all firewall-cmd" solution which
> > > > I'd like to share.
> > > >
> > > > It boils down to using rich rules in firewalld instead of direct rules
> > > > for iptables. The code snippets in section 6 of
> > > > <https://wiki.centos.org/HowTos/Network/SecuringSSH> would be changed to
> > > >
> > > > firewall-cmd --permanent --add-rich-rule='rule port port="22" protocol="tcp" accept limit value="4/m"'
> > > > firewall-cmd --permanent --remove-service ssh
> > > > firewall-cmd --permanent --remove-port 22/tcp
> > > > firewall-cmd --reload
> > > >
> > > > My newly minted wiki username is "KimeeModel".
> > > >
> > > > Regards,
> > > > Kimee
> > >
> > > You should be able to edit that page. Let us know if you find any
> > > problem.
> > >
> > > Akemi
> > > _______________________________________________
> > > CentOS-docs mailing list
> > > CentOS-docs at centos.org
> > > https://lists.centos.org/mailman/listinfo/centos-docs
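As an added example (not code from the thread or from the CentOS wiki page): a small Python audit over the output of `firewall-cmd --list-all` that checks the end state the quoted snippets aim for, i.e. the plain `ssh` service and `22/tcp` port removed, and a rate-limited rich rule present that is not pinned to a single address family (a rule without `family=` applies to both IPv4 and IPv6, which is the gap in the old direct-rule approach). The sample listings are constructed, not captured from a host, and the parser assumes the listing format in which each rich rule is printed on its own tab-indented line after `rich rules:`.

```python
import re

# Constructed samples of `firewall-cmd --list-all` output (not captured from a real host).
BEFORE = """public (active)
  services: dhcpv6-client ssh
  ports: 22/tcp
  rich rules: 
"""
AFTER = """public (active)
  services: dhcpv6-client
  ports: 
  rich rules: 
\trule port port="22" protocol="tcp" accept limit value="4/m"
"""
IPV4_ONLY = AFTER.replace("rule port", 'rule family="ipv4" port')  # rule pinned to one family

RICH_RE = re.compile(r'rule (?:family="(ipv4|ipv6)" )?port port="(\d+)" protocol="tcp" '
                     r'accept limit value="([^"]+)"')

def parse_list_all(text):
    """Return (services, ports, rich_rules); firewall-cmd prints rich rules tab-indented."""
    fields, rich = {}, []
    for line in text.splitlines():
        if line.startswith("\t"):
            rich.append(line.strip())
        else:
            key, _, value = line.strip().partition(":")
            fields[key] = value.split()
    return fields.get("services", []), fields.get("ports", []), rich

def audit_ssh_limit(text, port="22"):
    """Return findings; empty means SSH is reachable only via a rate-limited rule covering both families."""
    services, ports, rich = parse_list_all(text)
    findings = []
    if "ssh" in services:
        findings.append("unlimited 'ssh' service still enabled")
    if f"{port}/tcp" in ports:
        findings.append(f"unlimited port {port}/tcp still open")
    families = set()
    for m in filter(None, (RICH_RE.fullmatch(r) for r in rich)):
        if m.group(2) == port:
            families.add(m.group(1) or "both")  # no family= means IPv4 and IPv6
    if not families:
        findings.append(f"no rate-limited rich rule for {port}/tcp")
    elif "both" not in families and families != {"ipv4", "ipv6"}:
        findings.append("rate limit covers only " + ", ".join(sorted(families)))
    return findings
```

Run it against `firewall-cmd --list-all` output on a host after `--reload` to confirm the permanent configuration actually became the runtime one.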
Thibaut Perrin
2019-Apr-26 23:39 UTC
[CentOS-docs] firewalld configuration for securing SSH
No, I think the rules you created might have a better place in a custom
xml file instead of being given to firewall cmd directly :)

On Fri, 26 Apr 2019 at 23:01, Kimberlee Integer Model <kimee.i.model at gmail.com> wrote:
> I'm not sure I follow: you just think the modified one should be called
> "ssh-custom", or you think there shouldn't be a modified service file
> at all?
>
> -- Kimee
Kimberlee Integer Model
2019-Apr-30 00:43 UTC
[CentOS-docs] firewalld configuration for securing SSH
Ah. I understand now. I was considering roughly the same, but wasn't sure
whether that or rich rules was preferable.

-- Kimee

On Sat, 2019-04-27 at 01:39 +0200, Thibaut Perrin wrote:
> No, I think the rules you created might have a better place in a
> custom xml file instead of being given to firewall cmd directly :)